Decision:

IF information technology is a low priority in the business AND substantial outages are not very important, THEN Take a minimum-cost legal compliance approach.
OTHERWISE IF a non-technical need, such as a reputation issue, drives the protection program, THEN Decide to emphasize security as a key enterprise priority.
OTHERWISE IF process maturity is at the "defined" level or higher, THEN Take a comprehensive risk management approach.
OTHERWISE Don't budget in advance for information protection; spend on a reactive basis when needs occur.

Basis:

Take a minimum-cost legal compliance approach.

This is a common plan. It involves doing only what is legally
mandated, asking legal counsel how to comply at minimum cost, and
little else. Generally this amounts to doing very little in advance of
incidents and keeping little budget or expertise in computer security
in house, which in turn produces protection that tends to be
ineffective. Budgeted costs in this case might run from 1% to 5% of
the total IT budget. At the low end, a $500 computer gets only $5 or
so per year for administration and security, not enough even to
license antivirus software for most PCs. Information technology has to
be a pretty low priority in the business for this to be acceptable,
and of course an incident such as a virus infestation will end up
costing far more than it would have if the systems had been properly
guarded against it.

Take a comprehensive risk management approach.

In this approach, management balances spending against risk so as to
optimize business performance. A systematic approach to risk
management means understanding consequences, threats, and
vulnerabilities to the extent appropriate, and then deciding to avoid,
transfer, reduce, or accept each risk based on the business sense of
the available options. Over time and with experience this leads to
better-optimized spending and utility. We advise this approach for any
business with an annual IT budget in excess of $100,000. For smaller
businesses the cost of the risk management process itself starts to
dominate the security costs it is meant to control. To put this in
perspective, a business at that budget level probably has no full-time
systems or network administrator and likely has fewer than 20 computer
users in total. For companies that have used risk management
effectively, systems administration and security costs tend to range
from 5% to 20% of the annual IT budget, depending on the specifics of
the situation.

Decide to emphasize security as a key enterprise priority.

This approach tends to arise from one of two scenarios. In the first,
the company sells security to others or is run by a security fanatic;
more and better security is then a matter of pride and a demonstration
that security can work. Even these companies must eventually make
sensible spending decisions or go out of business. In the second, the
company has been hit so often or so hard that it starts to lose the
faith of the market, and in an effort to regain that faith it goes to
extremes in pursuit of security, even at the cost of a great deal of
inefficiency. In both cases the driver is reputation and brand, not a
technical or analytical decision.

Don't budget in advance for information protection, spend on a reactive basis when needs occur.

This ultimately means that nothing is done for security in advance.
Regulatory violations become likely, company computers will be
exploited by attackers and used against others, financial records and
payables and receivables will be alterable, viruses and worms will run
rampant, and credit card data and customer lists will be taken. Except
in the smallest of businesses this is certain to lead to serious
trouble, and civil or criminal liability may also result.

Typically, systems and network administration and security costs
should be on the order of 5% to 20% of the annual IT budget. It is
hard to separate the systems and network administration budget from
the security budget, because it is usually the systems administrators
who implement security, and the time spent properly administering
systems and networks is hard to distinguish from the time spent
securing them and responding to attacks. In the day-to-day work of a
good systems and network administrator roughly half of the effort is
security oriented, but it is common for days on end to be spent
reacting to an incident or implementing a new technical change, and
those periods are rarely accounted for properly.